The RDP Linkedin Login plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation flaw, allowing reflected cross‑site scripting. An attacker can inject malicious JavaScript that executes in a victim’s browser, potentially stealing credentials, hijacking sessions, defacing content, or executing further attacks. The CWE associated with this weakness is CWE‑79. The primary impact is on confidentiality and integrity of user data, and can also compromise user experience and trust.

The vulnerability affects Robert D Payne’s RDP Linkedin Login plugin for WordPress. All installed versions from any earlier release through version 1.7.0 are vulnerable. Sites using this plugin should verify which version they run and determine whether it falls within that range.

The CVSS score is 7.1, indicating a high severity with potential for significant impact if exploited. The EPSS score is less than 1 %, suggesting a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. Being a reflected XSS flaw, the attack vector is likely via an unauthenticated request that includes crafted user input; an attacker can drive a victim’s browser to visit a malicious URL that triggers the vulnerability. Exploitation requires only that the target website is reachable and that a user clicks or visits the malicious link, making it relatively easy for attackers to target widely. Because the flaw does not require authentication or special privileges, the risk to any WordPress site that has the plugin installed remains substantial.